Xbox · Xbox Privacy Statement

Sensitive Data Collection (Health and Biometric)

High severity
Share 𝕏 Share in Share

What it is

Microsoft collects certain sensitive categories of personal data, including health-related information and in some products biometric data, subject to additional protections described in the Consumer Health Data Privacy Policy.

Why it matters

Health and biometric data are among the most sensitive categories of personal information, and their collection by a technology company with broad data-sharing practices warrants careful scrutiny, particularly for users of health-adjacent features.

Institutional analysis (Compliance & legal intelligence)

Collection of health and biometric data triggers GDPR Article 9 special category processing obligations (explicit consent or applicable exemption), HIPAA considerations for health-adjacent services, Washington My Health MY Data Act compliance, and equivalent state health privacy statutes; organisations should conduct DPIAs and review data minimisation practices.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Consumer impact

Microsoft collects an extensive range of personal data — including location, voice, typed content, browsing history, and device diagnostics — across all its products and may combine this data for advertising, product improvement, and AI model training. Consumers' personal data may be shared with third-party advertisers, affiliates, and service providers, and inferred data about interests and behaviour is generated even from passive use. You can review and manage your privacy settings, including ad personalisation and data collection preferences, at https://account.microsoft.com/privacy.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Submit a deletion request for health or biometric data via the Microsoft Privacy Response Center at https://aka.ms/privacyresponse, specifying the relevant product and data category.

Applicable agencies

  • Hhs Ocr
    HHS OCR has jurisdiction where health data collected by Microsoft falls under HIPAA-covered entity or business associate contexts.
    File a complaint →
  • FTC
    FTC has authority over unfair or deceptive practices in the collection and use of health and biometric data by consumer technology companies.
    File a complaint →

Provision details

Document information
Document
Xbox Privacy Statement
Entity
Xbox
Document last updated
March 24, 2026
Tracking information
First tracked
March 15, 2026
Last verified
March 15, 2026
Record ID
CA-P-00018006
Document ID
CA-D-00018
Evidence Provenance
Source URL
https://privacy.microsoft.com/en-us/privacystatement
Wayback Machine
View archived versions →
SHA-256
51f857cfab01371c333ae924cd2be10d1bba09bd06485c38cefff5414c1374f0
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Xbox | Document: Xbox Privacy Statement | Record: CA-P-00018006
Captured: 2026-03-15 11:40:52 UTC | SHA-256: 51f857cfab01371c…
URL: https://conductatlas.com/platform/xbox/xbox-privacy-statement/sensitive-data-collection-health-and-biometric/
Accessed: April 4, 2026
Classification
Severity
High
Categories
Privacy Consent Surveillance Data sharing

Other provisions in this document